DE102009039098A1 - Method for operating communication network, involves accessing communication network which is provided perpendicularly, if predetermined data communication takes place inside communication network - Google Patents

Abstract

The method involves accessing the communication network which is provided perpendicularly, if the predetermined data communication takes place inside the communication network. The data traffic between the terminal and the computer of the communication network is examined on the provision of the predetermined data communication. Independent claims are also included for the following: (1) a computer program product comprises an internal storage; and (2) a computer for use in a communication network.

Description

The invention relates to a method for operating a communication network, a computer program product and a computer for use in a communication network, in particular an access computer or an authentication computer.

In order to realize access protection, firewalls are also known. The basic function of a firewall is a network filter, which analyzes traffic at a border of the communication network and determines it according to a given network access policy (so-called policy). The network filter passes only allowed network traffic and blocks unauthorized network traffic.

Before a terminal is allowed access to a communication network, the user is authenticated. In a mobile radio system, a user is authenticated by means of his SIM card (SIM - Subscriber Identity Module). For example, in a wireless access computer, such as a wireless local area network (WLAN) with a web-based access portal, the user must enter their user name and password or access code. After authentication of the user access to the communication network, z. As the Internet or a mobile network granted.

To provide access to a communication network (eg, a corporate intranet or to the Internet) to a terminal (or user operating the terminal), terminals or their users are now authenticated by the communication network before access is allowed. Typically, cryptographic methods and password checks are used for this purpose.

In this context, the so-called Network Access Control (NAC) method is further known, in which an authentication and verification of a terminal and its configuration (eg a patch level of the operating system, a virus pattern, etc.) takes place before the terminal Access to the communication network, typically a company's intranet.

Before further access to a communication network is released, it is also known to check a machine certificate of the access requesting terminal.

In order not to maintain access for an indefinite time to a terminal once granted access to a communication network, it is further known to terminate the network access after a certain period of nonuse. This is known as "time-out".

In addition to the above-described access mechanisms to a communication network, there is still a need to supplement access protection based on cryptographic network access authentication. Such a need exists in particular for terminals (or their users) with a specific usage behavior, as occurs, for example, in a machine communication.

It is therefore an object of the present invention to provide a method for operating a communication network and a computer for use in a communication network, which provide a further improved and efficient access protection to a communication network. It is a further object of the present invention to provide a computer program product.

These objects are achieved by a method according to the features of patent claim 1, a computer program product according to the features of patent claim 14 and a computer according to the features of patent claim 15. Advantageous embodiments result from the dependent patent claims.

The invention provides a method for operating a communication network in which access granted to a terminal to the communication network is maintained in dependence on whether predetermined terminal-related data communication occurs within the communication network.

The invention further provides a computer for use in a communication network, in particular an access computer or an authentication computer, which is adapted to maintain access granted to a terminal to the communication network in dependence on whether a predetermined, the terminal concerned Data communication takes place within the communication network.

The invention is based on the fact that the terminal has already been granted access to the communication network. In this case, optionally one of the methods explained at the outset can be used. In order to further improve access protection, it is proposed to maintain the granted access only if a given data communication concerning the terminal takes place. In other words, this means that the terminal after the authentication or the Grant the access permission certain, expected things must do so that access to the communication network is still maintained.

Expediently, the data traffic between the terminal and a computer of the communication network is checked for the presence of the predetermined data communication.

If in the present description of a data communication is mentioned, so this is to be understood. The data communication may include some expected network traffic. The data communication may also include a predetermined sequence of commands exchanged between the terminal and the communication network.

According to a further expedient embodiment, the predetermined data communication to be checked is defined in a policy (so-called policy) of the communication network. The policy defines which network data communication is "mandatory" for a particular terminal (or user of the terminal), i. H. which data communication actually has to take place.

Optionally, the predetermined data communication relates to a data exchange taking place immediately after the establishment of the access to the communication network, which is checked. Alternatively or additionally, the predetermined data communication relates to a data exchange taking place in a predetermined time interval, which is checked. The data exchange can take place between the terminal and a computer of the communication network or any components within the communication network. In any case, however, the data communication concerns the specific terminal or its user.

According to a further expedient embodiment, the checking of the predetermined data communication takes place within a defined period of time after the establishment of the access to the communication network. If the predetermined data communication is not within the specified period of time, but only after that time, the access already granted to the terminal can again be blocked or revoked or restricted, similar to a time-out. Only if the predetermined data communication can be detected within the specified period of time does the access granted to the terminal to the communication network remain.

Alternatively or additionally, the verification of the predetermined data communication can take place several times, in particular at regular time intervals. The size of the regular intervals of the verification of the presence of the given data communication depends on the conditions of the communication network and, if applicable, on the access rights granted to the terminal. For example, the review can be done at least hourly or at least daily.

A further expedient embodiment provides that the access granted to the communication network is terminated when the predetermined data communication does not take place or can not be determined. Alternatively, the access granted to the communication network with regard to the rights of the terminal is restricted if the predetermined data communication does not take place or can not be determined. This allows a dynamic adaptation so-called. Allow deny network access policies according to the procedure of a firewall. Thus, this variant does not completely terminate the once granted access to the communication network, but restricts it only with respect to the rights or powers of the terminal and its user in the communication network.

In a further expedient embodiment, it is provided that the checking of the predetermined data communication is carried out by a computer of the communication network.

It is further provided that the predetermined data communication, in particular exchanged between the terminal and the communication network, comprises user data. The predetermined and thus expected data communication can be transmitted transparently to a computer of the communication network. This means that the expected data communication is passed through or blocked by an access computer of the communication network. The given traffic can also be tunnelled, z. As IP-in-IP traffic. This is then transmitted in the eingetunnelten form to the computer of the communication network, which is involved in the verification of the given data communication. In this variant, the terminal receives no direct access to the communication network, but for example, only limited access to a specific destination computer.

It is further provided that the predetermined data communication between the terminal and the communication network comprises authentication data.

According to a further expedient embodiment, the verification of the predetermined Data communication by a specific computer of a plurality of computers set up for checking the communication network, wherein the particular computer is assigned a charging function. As a result, the billing for the use of a network access, z. B. in a UMTS / WiMAX mobile radio system, carried out such that accounting data are assigned to that computer of the mobile system that has accepted a terminal. Accept means in this context that against this computer a successful authentication of the terminal was done. In this way, for example, a so-called M2M server (M2M - Machine to Machine) can decide which terminals or users it accepts. This M2M server or its operator will then be charged any fees incurred. This means that billing data for a user is assigned to the destination computer (M2M server) when it accepts a terminal.

The method according to the invention makes it possible to check and monitor the communication behavior of specific terminals in a communication network, based on expected communication patterns. This approach extends the scope of existing Policy Enforcement, as it is known at NAC, to dynamic policy compliance. In the method according to the invention, not only is a terminal statically checked at certain times, but the communication behavior can be continuously checked. The compliance with the guidelines can be carried out on the terminals without additional software, which in particular facilitates the use of the method according to the invention in older terminals. With the presented method, the billing of used services can then take place, instead of as previously by a mobile operator, by the provider of a service. Such a procedure is more flexible, since any Internet-based authentication methods can be used for the authentication of the terminal. The billing of the use of a service is also more efficient for a terminal in which only a very small amount of data and thus charges occurs.

The invention will be described in more detail below with reference to embodiments in the drawing. Show it:

1 the communication sequence in a communication network according to the inventive method in a successful logon in a first embodiment,

2 the communication sequence in a communication network according to the inventive method in an unsuccessful login in a first embodiment,

3 the communication process in a communication network according to the inventive method in a successful logon in a second embodiment,

4 the communication process in a communication network according to the inventive method in an unsuccessful login according to in the second embodiment,

5 a schematic representation of a communication network in which logs an M2M computer via a mobile network to a selected computer,

6 the communication sequence of an M2M computer with a communication network according to a first variant in a successful logon,

7 the communication process for the access of an M2M computer to a communication network according to a second variant in a successful logon,

8th the communication process for the access of an M2M computer to a communication network according to a first variant, wherein the network access is refused in an unsuccessful login, and

9 the communication process for the access of an M2M computer to a communication network according to a second variant, wherein the network access is denied in an unsuccessful login.

In the following exemplary embodiments, the method according to the invention for operating a communication network NET is described in various scenarios. All scenarios have in common that after the granting of a network access the maintenance or termination of the granted network access of a terminal C_A or M2M-M depends on whether a given data communication actually occurs. Which data communication is expected in order to maintain the once already granted network access is preferably stored in a guideline (so-called Network Usage Obligation Policy). This defines which data communication is "obligatory" for a particular terminal and thus must actually take place. In this case, the policy can permanently affect all communications or only part of the communication, preferably immediately after network access has been established.

• – der Aufbau einer Verbindung des Endgeräts zu einem Applikationsserver, der in einer Liste bekannter Applikationsserver enthalten ist, wie z. B. einem Remote Service-Rechner oder einem Machine-2-Machine-Kommunikationsserver (M2M-Server), der Diagnose- und Wartungsdaten von Maschinen, wie z. B. einer Turbine, erfasst;
• – Registrierung bei einem SIP-Server (SIP – Session Initiation Protocol) für Voice-Over-IP-Kommunikation innerhalb einer festgelegten Zeitspanne;
• – eine erfolgreiche Authentisierung gegenüber einem Applikationsserver;
• – eine erfolgreiche Anmeldung bei einem bekannten Domainserver;
• – ein VPN-Zugang (VPN – Virtual Private Network) zu einem Firmen-Intranet, z. B. über einen öffentlichen Hotspot, welcher erfolgreich aufgebaut wurde;
• – bestehende authentisierte und mittels SSL (Source Socket Lager) oder TLS (Transport Lager Security) geschützte Verbindungen zu einem M2M-Server. Unter einer „bestehenden Verbindung” wird hierbei verstanden, dass regelmäßig, z. B. mindestens alle fünf Minuten ein dazugehörendes Datenpaket übertragen wird;
• – Überprüfen bei einem Software-Update-Server auf das Vorliegen von Updates, wie z. B. Virenpattern oder Betriebssystem-Patches.

Examples of such a given data communication are:

• - Establishing a connection of the terminal to an application server that is included in a list of known application server, such. As a remote service computer or a machine-2-machine communication server (M2M server), the diagnostic and maintenance data of machines such. B. a turbine detected;
• - Registration with a SIP server (SIP - Session Initiation Protocol) for voice-over-IP communication within a specified period of time;
• A successful authentication against an application server;
• - a successful login to a known domain server;
• A VPN (Virtual Private Network) access to a corporate intranet, e.g. Via a public hotspot, which has been successfully established;
• - existing authenticated connections protected by SSL (Source Socket Storage) or TLS (Transport Bearing Security) to an M2M server. Under an "existing connection" is understood here that regularly, z. B. at least every five minutes a pertinent data packet is transmitted;
• - Check for a software update server for the presence of updates such. For example, virus patterns or operating system patches.

Common to these examples is that the terminal requesting access is directly or indirectly affected by the given communication.

The directive may stipulate that the verification of the given data communication must take place within a defined period of time after the network access of the terminal has been established and / or a regular check has to be carried out. The Directive may further specify that the granted network access will only remain valid if the verification showed that the given data communication actually took place. In the absence of the given data communication, it is not absolutely necessary that the network access for the terminal is completely blocked. Likewise, it may be stipulated in the Directive that a dynamic adaptation of the rights granted to the terminal takes place in a so-called Allow Deny Network Access Directive. The network access is then not completely terminated, but only restricted.

The 1 to 4 each show the inventive processes of data communication between a terminal C_A and a communication network NET, which includes an access computer AcS, a management computer (NAC / Obligation) NAC_O and an application computer (AppServer) AppS.

1 shows the process of logging the terminal C_A on the communication network NET and maintaining the granted access. Initially, the terminal C_A transmits a message S1 to the access computer AcS, with which access to the communication network is requested (Acquire Access). Subsequently, the access computer AcS transmits a message S2 to the management computer NAC_O, with which an access authorization is requested (Get Access Authorization). Optionally, a first timer can be started by the management computer NAC_O, with which the status of the terminal is checked according to a policy before the terminal is granted access. With a message, S3, which the management computer NAC_O transmits to the access computer AcS, the administration computer NAC_O grants access to a limited network area of the communication network (grant access to quarantine VLAN). At the same time, the management computer NAC_O requests a check in accordance with NAC in the message S3 (Require NAC check). The so-called NAC check includes, for example, the review of performance characteristics of the terminal C_A. After receiving the message S3, the access computer AcS grants the terminal C_A access to the restricted network area, the so-called quarantine network (also called quarantine VLAN). The access computer AcS transmits a message S4 to the terminal C_A, with which this is notified of the NAC check to be performed (Require NAC check). The terminal C_A replies in message S5 to this request (Response NAC check). This response is forwarded in message S6 from the access computer AcS to the management computer NAC_O. If this test was successful, the above first timer is ended.

At the same time, a new, second timer is started by the management computer NAC_O on the basis of a policy to check the status of the terminal after the lapse of a predetermined period of time in order to continue to grant the terminal C_A the access to the communication network (so-called productive network or productive VLAN). The administration computer NAC_O transmits a message S7 to the access computer AcS, with which the granted access to the so-called productive communication network is communicated (grant access to productive VLAN). At the same time, information is transmitted in message S7 which informs about the successful NAC check (NAC check passed). The access computer AcS allows receipt of the message S7 the terminal C_A access to the productive communication network. Furthermore, the access computer AcS transmits in the message S8, which is directed to the terminal C_A, that the NAC check was successful (NAC check passed).

In order to maintain the now granted full access to the productive communication network, it is necessary according to a fixed policy that the terminal C_A registers itself on the application computer AppS. For this purpose, the terminal C_A transmits a message S9 with such a registration (eg Register @ Application Server). The application computer confirms the registration in a message S10 (Confirm Registration). Thus, the second timer can be terminated because the predetermined data communication - the registration with the application computer - could be successfully detected.

The review comprising messages S9 and S10 may, as explained above, be repeated at regular intervals in the Directive. If the predetermined data communication described with the messages S9 and S10 then does not take place within the predetermined time limit, the network access can either be completely denied to the terminal C_A or a downgrading to the quarantine network can take place.

In the 1 A is the time range in which the terminal C_A only has access to the quarantine network. In the time range marked B, the terminal C_A is granted full rights.

2 shows a modified embodiment in which the application of the terminal C_A fails in the communication network NET. All data communication therefore runs in the Quarantine Network connected with restricted rights. The transmission of the messages S1 to 54 correspond to those in connection with 1 already explained messages or steps. Since, at the end of the timer started after receipt of the message S2, a response regarding the NAC check by the terminal C_A is omitted (messages S5 and S6 according to FIG 1 ), the management computer NAC_O denies access to the productive communication network, which is why the terminal C_A rights are granted only in the quarantine network. This is communicated to the access computer AcS in the message S5 by the management computer NAC_O (Deny access to productive VLAN, keep client in quarantine VLAN).

The 3 and 4 show a second embodiment of the use of the method according to the invention, wherein the communication network NET in addition to the access computer AcS, the management computer NAC_O and the application computer AppS has a CA computer. A Certification Authority (CA) machine is a device for managing security credentials (eg, cryptographic keys, certificates). In particular, he may revoke revocation information for a digital certificate, e.g. B. according to the X.509 standard, the terminal C_A provide. This can be done through a Certificate Revocation List (CRL) or through equivalent alternative methods, such as Online Certificate Status Protocol (OCSP). A Certificate Revocation List CRL lists revoked and invalidated certificates. As an alternative to requesting certificate revocation information, another method can also be used to determine whether a terminal C_A or the security credential used by it is valid while carrying out data communication. The messages or steps S1 to S10 correspond to those in connection with FIG 1 described steps. In contrast to the previous first embodiment according to 1 After the receipt of the message S9, the application computer AppS authenticates the terminal C_A using its certificate, whereby the certificate (including a CRL check) is verified. With the message S11 (Get CRL), which the application computer AppS transmits to the management computer NAC_O, a CRL is requested. For this purpose, the management computer NAC_O transmits a message S12 to the CA computer by requesting the CRL (Get CRL). With the message S13, which is transmitted from the CA computer to the management computer NAC_O, the CRL is provided, which is transmitted from the management computer NAC_O to the application computer AppS with the message S14.

Thus, in this embodiment, the policy does not relate to the data traffic originating from the terminal itself, but to data communication originated by the management computer and routed to other components of the communication network. In this example, the management computer must periodically query an up-to-date CRL list from the CA computer, which contains information about which device certificates have been revoked.

4 shows the case of the second embodiment according to 3 in that the CRL list is not transmitted by the CA computer CAS to the management computer NAC_O, whereupon further connection attempts of the terminal C_A for connection to the communication network in the productive network (B) are prevented. The terminal C_A is thus granted access only to the quarantine network A.

The method according to the invention also allows billing for the use of a network access, so that, for example, in a UMTS / WiMAX mobile radio system, the billing data can be assigned to that computer which has accepted a terminal (that is to say a user assigned to the terminal). This means that there was a successful authentication of the user against this computer. As a result, for example, a so-called machine-2-machine computer (M2M server) can decide which terminals (subscribers or users) it accepts. He and the operator of the M2M computer will be charged then incurred fees. For example, an M2M module may have a built-in machine SIM card for authenticating the M2M module to a mobile operator. This SIM card is not associated with a specific person to whom an invoice could be delivered.

For example, the user of such an M2M module may select and register with an M2M service provider, i. H. set up an account. The billing is then not by the operator of the mobile network, but by the provider of the M2M service. This is more flexible since any Internet-based authentication methods can be used for the authentication of the M2M user (terminal) (such as, for example, user name and password, digital certificate). Billing usage will also be more efficient for M2M users, who only have a very small volume of data and thus charging.

Furthermore, the result of a (successful or unsuccessful) authentication of an M2M module to an M2M server by the mobile radio network can be stored, i. H. assigned to the identifier of the M2M SIM card. In the case of repeated authentication attempts, this can be reacted to adaptively. So z. B. after a repeated failed authentication against a M2M computer network access for this M2M SIM card are stored.

5 shows a schematic representation of a scenario underlying this communication network. An M2M module M2M-M can be communicatively connected to one of by way of example two M2M computers M2M-S1, M2M-S2 via an exemplary mobile network MN. The M2M module M2M-M is connected to a device Dev. In the M2M module M2M-M, for example, a SIM card is integrated, via which the module can be authenticated relative to one of the two M2M computers M2M-S1, M2M-S2. The terminal Dev, z. B. in the form of a control system is via the M2M module with the mobile network, z. As the Internet, and thus the M2M computers M2M-S1, M2M-S2 connected.

6 shows the procedure for M2M access, in which the M2M computer M2M-S accepts a specific terminal. In this case, the M2M module initially authenticates itself with respect to the mobile network MN (MO). While being forwarded by the mobile network MN, after the network authentication, a message S1 is transmitted by the M2M module M2M-M to the M2M computer M2M-S, in which the M2M module M2M-M authenticates itself with respect to the M2M computer. In the mobile network, the address of the M2M computer M2M-S is stored (M1). In a message S2, the authentication of the M2M computer is confirmed with respect to the M2M module. In a step M2, the mobile network MN thus associates the M2M computer with the now running session. With the messages S3, S4 data are transmitted from the device Dev to the M2M module (S3) and from this to the M2M server M2M-S (S4). In the mobile network, a charging is performed in step M3, which is assigned to the M2M computer M2M-S. The messages S5, S6 and the step M4 correspond to the messages / steps S3, S4 and M3.

In the embodiment of 7 the terminal Dev authenticates itself to the M2M computer M2M-S instead of the M2M module M2M-M. Again, the M2M module has previously authenticated to the mobile network according to step MO. The billing takes place again against the M2M computer M2M-S, against which an authentication was successful. Incidentally, the procedure corresponds to that of the example of 6 ,

In the embodiment according to 8th according to the variant 6 corresponds, fails the authentication of the M2M module M2M-M with respect to the M2M computer M2M-S, whereby the M2M computer M2M-S transmits a corresponding message S2 (reject) to the M2M module M2M-M. Thereafter, the mobile network MN terminates the network access for this M2M module (step M5).

9 shows the failure of the authentication in the event that the device Dev authenticates itself to the M2M computer instead of the M2M module M2M-M ( 7 ).

Claims (16)

Method for operating a communications network (NET), in which access to the communications network (NET) granted to a terminal (C_A) is maintained in dependence on whether a predetermined data communication relating to the terminal (C_A) occurs within the communications network (NET) he follows. Method according to Claim 1, in which the data traffic between the terminal (C_A) and a computer (AppS) of the communication network (NET) is checked for the presence of the predetermined data communication. Method according to Claim 1 or 2, in which the predetermined data communication to be checked is defined in a guideline of the communication network (NET). Method according to one of the preceding claims, in which the predetermined data communication relates to a data exchange taking place immediately after the establishment of the access to the communication network, which is checked. Method according to one of the preceding claims, in which the predetermined data communication relates to a data exchange taking place in a predetermined time interval, which is checked. Method according to one of the preceding claims, in which the verification of the predetermined data communication takes place within a defined period of time after the establishment of the access to the communication network (NET). Method according to one of the preceding claims, in which the verification of the predetermined data communication takes place several times, in particular at regular time intervals. Method according to one of Claims 1 to 7, in which the access granted to the communications network (NET) is terminated if the predetermined data communication does not take place or can not be determined. Method according to one of Claims 1 to 7, in which the access granted to the communication network (NET) with regard to the rights of the terminal (C_A) is restricted if the predetermined data communication does not take place or can not be determined. Method according to one of the preceding claims, in which the verification of the predetermined data communication is performed by a computer (AcS, NAC_O) of the communication network. Method according to one of the preceding claims, in which the predetermined data communication, in particular between the terminal (C_A) and the communication network (NET) exchanged, comprises user data. Method according to one of the preceding claims, in which the predetermined data communication between the terminal and the communication network (NET) comprises authentication data. Method according to one of the preceding claims, wherein the verification of the predetermined data communication by a specific computer (M2M) of a plurality of set up for checking computers of the communication network (NET), wherein the particular computer (M2M) is assigned a charging function. A computer program product that can be loaded directly into the internal memory of a digital computer and includes software code portions that perform the steps of any one of the preceding claims when the product is run on a computer. Computer for use in a communication network (NET), in particular access computer or authentication computer, which is set up to maintain access to the communication network (NET) granted to a terminal (C_A) in dependence on whether a given network access service (C_A) Terminal (C_A) data communication within the communication network (NET) takes place. A computer according to claim 15, wherein it is arranged to perform the method according to one of claims 2 to 13.

Images